The state of Mac malware

Mac users are often told that they don’t need antivirus software, because there are no Mac viruses. However, this is not true at all, as Macs actually are affected by malware, and have been for most of their existence. Even the first well-known virus—Elk Cloner—affected Apple computers rather than MS-DOS computers.

In 2018, the state of Mac malware has evolved, with more and more threats targeting these so-called impervious machines. We have already seen four new Mac threats appear. The first of these, OSX.MaMi, was discovered on our forums by someone who had had his DNS settings changed and was unable to change them back.

The malware that was discovered on his system acted to change these settings and ensure that they remained changed. Additionally, it installed a new trusted root certificate in the keychain.

These two actions are highly dangerous. By redirecting the computer’s DNS lookups to a malicious server, the hackers behind this malware could send traffic intended for legitimate sites, such as bank sites, Amazon, and Apple’s iCloud/Apple ID services, to malicious phishing sites instead. The added root certificate could be used to perform a “man-in-the-middle” attack, making these phishing sites appear to be legitimate, since the system would trust any certificate issued under that root.

Thus, this malware was likely interested in using phishing sites to steal credentials, although we don’t know what sites were targeted.
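The two MaMi behaviours described above, changed resolvers and a newly trusted root, are both visible from the command line, so a defender can baseline them and alert on drift. The script below is an added example written for this article, not code from the original post or from Malwarebytes; it parses constructed samples of the output of `networksetup -getdnsservers Wi-Fi` and `security find-certificate -a -p /Library/Keychains/System.keychain` and reports anything not on an allowlist. The resolver `10.0.0.53`, the documentation-range addresses, and the PEM bodies are all constructed placeholders (the PEM blocks are not real X.509 certificates; the parser only needs the framing and the bytes to fingerprint).

```python
import base64
import hashlib
import ipaddress
import re

# Constructed allowlist: the resolver(s) this machine is supposed to use.
# 10.0.0.53 is a placeholder corporate resolver, not a real service.
EXPECTED_RESOLVERS = {"10.0.0.53"}

# Constructed sample of `networksetup -getdnsservers Wi-Fi` output after a
# MaMi-style change. 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, so these are not real attacker addresses.
SAMPLE_DNS_OUTPUT = "192.0.2.10\n198.51.100.20\n"


def _placeholder_pem(label: bytes) -> str:
    """Wrap arbitrary bytes in PEM framing so the parser below has input.
    The body is NOT a real X.509 certificate; it is a constructed stand-in."""
    body = base64.encodebytes(label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


KNOWN_ROOT_DER = b"constructed placeholder: root the organization already trusts"
ADDED_ROOT_DER = b"constructed placeholder: root that was not there yesterday"

# Constructed sample of `security find-certificate -a -p /Library/Keychains/System.keychain`
SAMPLE_KEYCHAIN_OUTPUT = _placeholder_pem(KNOWN_ROOT_DER) + _placeholder_pem(ADDED_ROOT_DER)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def parse_dns_servers(output: str) -> list:
    """Return the resolver addresses from networksetup output.
    When DNS comes from DHCP the tool prints a sentence instead of addresses;
    any line that is not an IP address is ignored, giving an empty list."""
    servers = []
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue
        servers.append(line)
    return servers


def audit_dns(servers: list, expected: set) -> list:
    """Resolvers that are configured but not on the allowlist."""
    return [s for s in servers if s not in expected]


def parse_pem_certs(text: str) -> list:
    """Extract each PEM block and decode it to DER bytes."""
    ders = []
    for match in _PEM_BLOCK.finditer(text):
        b64 = "".join(match.group(1).split())
        ders.append(base64.b64decode(b64))
    return ders


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form Keychain Access shows."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def audit_roots(keychain_pem: str, known_fingerprints: set) -> list:
    """Fingerprints present in the keychain dump but absent from the baseline."""
    found = [cert_fingerprint(der) for der in parse_pem_certs(keychain_pem)]
    return [fp for fp in found if fp not in known_fingerprints]


# Constructed baseline: fingerprints recorded on a known-good day.
KNOWN_ROOT_FINGERPRINTS = {cert_fingerprint(KNOWN_ROOT_DER)}


def run_audit(dns_output: str, keychain_pem: str) -> dict:
    """Combine both checks into one report covering the two MaMi behaviours."""
    return {
        "unexpected_resolvers": audit_dns(parse_dns_servers(dns_output), EXPECTED_RESOLVERS),
        "unexpected_roots": audit_roots(keychain_pem, KNOWN_ROOT_FINGERPRINTS),
    }


if __name__ == "__main__":
    # On a real Mac the two strings would come from, for example:
    #   subprocess.run(["networksetup", "-getdnsservers", "Wi-Fi"],
    #                  capture_output=True, text=True).stdout
    #   subprocess.run(["security", "find-certificate", "-a", "-p",
    #                   "/Library/Keychains/System.keychain"],
    #                  capture_output=True, text=True).stdout
    report = run_audit(SAMPLE_DNS_OUTPUT, SAMPLE_KEYCHAIN_OUTPUT)
    for key, items in report.items():
        print(key, items or "none")
```

The baseline matters more than the parser: record resolvers and root fingerprints on a machine you trust, then compare on a schedule. An empty resolver list is normal when DNS comes from DHCP, which is why `parse_dns_servers` treats the "There aren't any DNS Servers set" sentence as "nothing configured" rather than as an error.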

The second malware was discovered by Lookout in the course of its research into a nation-state campaign called Dark Caracal. The report mentioned a new cross-platform RAT (remote access tool, aka backdoor), which it called CrossRAT, which is capable of infecting Macs, among other systems. This malware, written in Java, provided some basic remote backdoor access to infected Mac systems. It is not very complete, but it was only version 0.1, indicating that it is probably in an early stage of development.

Although Macs no longer come with Java preinstalled, and haven’t for years, it’s important to keep in mind that nation-state malware is often crafted and used with some knowledge of the target(s) in mind. The targets intended to be infected with this malware may have had reason to install Java, or it may have been installed via physical (or some other) access by a hacker targeting specific individuals.

The next piece of malware was named OSX.CreativeUpdate, and was originally discovered through a supply chain attack involving the MacUpdate website. The MacUpdate website was hacked, and the download links for some popular Mac apps, including Firefox, were replaced with malicious links.

These kinds of supply chain attacks are particularly dangerous, even capable of infecting savvy members of the development and security community, as was documented by Panic, Inc. in The Case of the Stolen Source Code.

Users who downloaded the affected apps from MacUpdate ended up with lookalike malicious apps. These apps would install malware on the system, then open the original app, which was bundled inside the malicious app, to make it appear normal. This helped cover up the fact that something shady was going on.

The malware, once installed, used the computer’s CPU to mine a cryptocurrency called Monero (a currency similar to Bitcoin). This would result in the computer slowing down and the fans starting to run at high speed. This has a number of negative impacts, such as significant hits on the performance of the computer, reduced battery life, increased usage of electricity, and even potential for overheating the computer and damaging the hardware (especially if the fans were not working at peak capacity or the vents were clogged with dust).
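Two defensive checks follow from the CreativeUpdate story: verify a download against a hash published by the vendor on a channel the mirror does not control, and look inside an app bundle before launching it, since a wrapper that carries a full copy of the real app under a different bundle identifier is exactly the lookalike pattern described above. The script below is an added example written for this article, not code from the original post or from MacUpdate or Mozilla; it builds a constructed lookalike bundle in a temporary directory (the identifier `example.constructed.wrapper`, the stub executables, and the "download" bytes are all made up) and triages it. Nested `.app` bundles are common in legitimate software (helper and login-item apps), so the report is a prompt for a reviewer, not a verdict.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large disk images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, published_sha256: str) -> bool:
    """Compare a download against a hash obtained from the vendor's own
    channel, not from the mirror that served the file."""
    return sha256_file(path) == published_sha256.strip().lower()


def bundle_identifier(app_path: Path):
    """CFBundleIdentifier from Contents/Info.plist, or None if absent."""
    info = app_path / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with open(info, "rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")


def find_nested_apps(app_path: Path) -> list:
    """Every .app bundle inside app_path, as paths relative to it."""
    return sorted(
        str(p.relative_to(app_path))
        for p in app_path.rglob("*.app")
        if p.is_dir() and p != app_path
    )


def triage_bundle(app_path: Path) -> dict:
    """Report the outer identifier and each nested app's identifier so a
    reviewer can see whether a wrapper is carrying a copy of another app."""
    outer = bundle_identifier(app_path)
    nested = {rel: bundle_identifier(app_path / rel) for rel in find_nested_apps(app_path)}
    return {
        "identifier": outer,
        "nested_apps": nested,
        "wraps_foreign_app": any(ident not in (None, outer) for ident in nested.values()),
    }


def _write_app(app_path: Path, identifier: str, executable: str) -> None:
    """Create a minimal constructed .app skeleton (not a real application)."""
    (app_path / "Contents" / "MacOS").mkdir(parents=True)
    with open(app_path / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": identifier, "CFBundleExecutable": executable}, fh)
    (app_path / "Contents" / "MacOS" / executable).write_bytes(b"#!/bin/sh\n# constructed stand-in\n")


def build_sample_wrapper(root: Path) -> Path:
    """Constructed lookalike: an outer bundle with a made-up identifier that
    carries a second bundle (the genuine app) under Contents/Resources."""
    outer = root / "Firefox.app"
    _write_app(outer, "example.constructed.wrapper", "launcher")
    _write_app(outer / "Contents" / "Resources" / "Firefox.app", "org.mozilla.firefox", "firefox")
    return outer


def run_demo() -> dict:
    """Build the constructed wrapper in a temp dir, triage it, and exercise
    the hash check with a matching and a deliberately wrong hash."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_wrapper(Path(tmp))
        report = triage_bundle(app)
        archive = Path(tmp) / "download.dmg"  # constructed stand-in, not a real disk image
        archive.write_bytes(b"constructed download contents")
        report["hash_ok"] = verify_download(archive, sha256_file(archive))
        report["hash_tampered"] = verify_download(archive, "0" * 64)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The hash check only helps when the reference hash comes from somewhere the attacker did not control; in the MacUpdate incident the download links were swapped on the mirror, so a hash taken from that same page would have matched the malicious file. On a real system, `codesign --verify` and `spctl --assess` on the outer bundle are the next step after this triage.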

The most recent piece of malware, called OSX.Coldroot, was a generic backdoor that provided all the usual access to the system that a typical backdoor does. However, some aspects of its installation will fail on any modern system (macOS 10.11, aka El Capitan, or later), and due to bugs it will fail entirely on some systems. This malware didn’t seem like much of a threat, but could still be dangerous on the right system.

These are simply some of the most recent examples. Mac malware saw an increase of over 270 percent between 2016 and 2017. Last year saw the appearance of many new backdoors, such as the now infamous Fruitfly malware, first documented by Malwarebytes, which was used by an Ohio man to capture personal data, and was even used to generate child pornography.

This doesn’t address the rising threat of adware and PUPs (potentially unwanted programs, usually scam software in the guise of legitimate software). These kinds of threats have become pervasive in the last few years, even invading the Mac App Store to the degree that certain classes of software—such as antivirus or anti-adware software—in the App Store are almost entirely PUPs and cannot be trusted.

Unfortunately, many Mac users still have serious misperceptions about the security of macOS. Some will still tell people that “Macs don’t get viruses,” hiding the truth behind a technicality that no Mac malware quite fits the strict definition of what it means to be a “virus.” Others are under the mistaken belief that Macs are invulnerable, saying things like, “Macs are sandboxed, so they can’t be infected.”

In this environment, the average Mac user has no effective protection to prevent them from being infected with malware, much less the far more common threats posed by adware and PUPs. Worse, because they believe that there are no threats, they often do not exercise the same caution online that they would on a Windows machine.

Apple’s macOS includes some good security features that are helpful, but they are easily bypassed by new malware, and they don’t address the adware and PUP problem at all. macOS cannot be considered bulletproof.